U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

Office of the Secretary

Federal Information Security Management Act Audit Identified Significant Issues Requiring Management Attention

Final Report OIG-11-012-A

November 15, 2010

FOR PUBLIC RELEASE

Office of Audit and Evaluation


Report In Brief
U.S. Department of Commerce, Office of Inspector General
November 15, 2010

Office of the Secretary
Federal Information Security Management Act Audit Identified Significant Issues Requiring Management Attention (OIG-11-012-A)

Why We Did This Review

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to secure their information systems, commensurate with the risk of loss or unauthorized use of system data. Inspectors general must annually evaluate agency information security programs by assessing a representative sample of such systems, and report the results to the Office of Management and Budget (OMB) and to Congress.

Background

The Department and its operating units use over 300 information technology (IT) systems; this year we assessed security controls of 18 systems, from six different operating units.

Security weaknesses have been a long-standing problem for Commerce, particularly with respect to security planning, configuration settings, and control assessments. This year's review focused on Department-wide issues that require policy improvements and increased management attention.

What We Found

The Department's information security program and practices are not adequately securing Department systems, and we are concerned that the likelihood and severity of security breaches are considerably greater than what is currently perceived by management. The following table summarizes our major audit findings:

Measure: High-risk vulnerabilities identified?
Finding: Extensive vulnerabilities in system software suggest considerable likelihood of a security breach; patch management and vulnerability scanning practices are not effective. Scans identified significantly more high-risk vulnerabilities than were previously known.

Measure: Configuration settings defined and documented?
Finding: Only 4 of 18 systems (one high-impact) adequately defined and documented secure settings for operating systems and major applications. This is a long-standing deficiency in a crucial security practice.

Measure: Configuration settings securely implemented?
Finding: Only one system securely configured settings for its operating systems.

Measure: Security weaknesses and corrective actions adequately reported and tracked?
Finding: Most systems exhibited significant deficiencies in reporting and tracking security weaknesses. As a result, the information about corrective action that the Department is using for performance measurement is inaccurate and inconsistent.

Measure: Contingency plans adequately tested?
Finding: Six of 18 systems' contingency plans were inadequately tested, including 2 systems that support the primary mission-essential weather forecasting function; testing of these 2 systems' contingency plans had not been done since FY 2007.

Measure: Alternate processing sites arranged?
Finding: Five systems that are required to have alternate processing sites do not have them, including three systems—two high-impact and one moderate-impact—that support weather forecasting. Documents attribute the lack of alternate sites primarily to budget constraints.

What We Recommend

We recommend that the Department revise its information security policy by providing specific implementation guidance that will ensure better and more consistent practices across the Department. Further, increased management attention is required to ensure that the deficiencies identified are rectified Department-wide.


U.S. Department of Commerce, Office of Inspector General                    Final Report No. OIG-11-012-A, November 15, 2010

Contents

Introduction ........................................................................................... 1
Findings ............................................................................................... 3
   I. Significant Vulnerabilities in Commerce Information Systems Increase Risk of Serious Breach ....... 3
      A. System Components Operate with Many Significant Software Flaws ................................. 4
      B. Information Technology Systems Are Not Securely Configured, Reducing Their Ability to Withstand Attack ....... 6
   II. Departmental Process for Reporting and Tracking IT Security Weaknesses and Corrective Action Is Deficient ....... 7
      A. Plans of Action and Milestones Lack Information Needed for Tracking and Oversight .............. 7
      B. Reporting and Tracking Process Lacks Controls over Data Integrity ............................... 8
   III. Contingency Planning Weaknesses Threaten Operating Units' Ability to Restore System Data and Operations After Disruption ....... 9
      A. Contingency Plans Are Not Adequately Tested .................................................... 9
      B. Systems Lack Alternate Processing Sites, Increasing the Risk of Not Being Available When Needed ....... 10
   IV. Persistent Deficiencies in Security Plans and Control Assessments Reduce Overall Level of Information Assurance ....... 11
Recommendations ....................................................................................... 12
Summary of Department Response ........................................................................ 13
Appendix A: Objectives, Scope, and Methodology ........................................................ 14
Appendix B: Full Text of Department Response .......................................................... 17


Introduction

The Department of Commerce and its constituent operating units use over 300 information technology (IT) systems to fulfill cross-cutting responsibilities in trade, technology, entrepreneurship, economic development, environmental stewardship, and statistical research and analysis. These systems perform functions as varied as processing census and economic data, managing patent and trademark applications, and controlling weather satellites. The Department and its operating units must ensure that these systems maintain the confidentiality, integrity, and availability of information by providing protection from a growing range of malicious actors who can leverage the globally interconnected information and communications infrastructure to launch attacks. The systems must also be guarded against insider threats, physical intrusion, and disaster.

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to secure systems through the use of cost-effective management, operational, and technical controls. The goal is to provide adequate security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency. In addition, FISMA requires inspectors general to evaluate agencies' information security programs and practices by assessing a representative subset of agency systems, and report the results to the Office of Management and Budget (OMB) and Congress annually.

We assessed information security controls and security-related documentation of 18 systems selected from six operating units, including three systems from the U.S. Patent and Trademark Office (USPTO), which files its own performance and accountability report separate from the Department. The operating units categorized these systems as high- or moderate-impact, based upon how severely a security breach would affect organizational operations, assets, or individuals.[1] Seven of the systems that we reviewed support three of the Department's four primary mission-essential functions, those that directly support government functions necessary to lead and sustain the nation during a catastrophic emergency.[2] This aspect of these systems adds importance to one focus of this report: contingency planning requirements necessary to minimize the impact of disruptions.

Details of our objectives, scope (including a complete list of systems reviewed), and methodology are described in appendix A.

[1] See Standards for Security Categorization of Federal Information and Information Systems, Federal Information Processing Standards Publication 199, National Institute of Standards and Technology, February 2004.
[2] See U.S. Department of Commerce, "Emergency Readiness for Departmental Continuity," www.osec.doc.gov/omo/dmp/daos/dao210_1.html, accessed October 25, 2010.

IT Security Roles and Responsibilities

Under FISMA and Department policy, IT security is a shared responsibility of senior program officials and the Chief Information Officer (CIO). While the Secretary of Commerce is ultimately responsible for ensuring the security of the Department's information and information systems, senior officials must manage and supervise the IT security programs in their respective operating units.

The CIO has a range of responsibilities, chief among them to develop and maintain the IT security policy; to designate a Chief Information Security Officer; and to monitor, evaluate, and report to the Secretary on the status of IT security within the Department. The Chief Information Security Officer directs the management of the Department's IT security program, a task that includes coordinating IT security compliance across operating units and developing policies, plans, control techniques, and procedures for systems.

Operating units have roles and responsibilities that parallel those at the Department level, with the operating unit head ultimately responsible for the security of the operating unit's systems. In addition, authorizing officials, who have the authority to oversee an information system's budget and operations, assume the responsibility for operating IT systems at an acceptable level of risk. Notably, authorizing officials also approve system security requirements and security plans. System owners must ensure that a system is deployed and operated in accordance with security requirements. System security officers ensure that operational security is appropriately maintained and play an active role in developing and updating system security plans. Certification agents independently assess a system's security controls, including an initial assessment of the security plan to determine whether the controls described adequately meet applicable security requirements.

Department Efforts to Improve IT Security

In response to a September 2009 Office of Inspector General (OIG) audit of the Department's IT security workforce,[3] the Department established a policy, effective for all operating units, requiring mandatory training for those employees with significant IT security responsibilities. The policy identifies specific IT security roles, defines yearly minimum training hours, and requires professional certifications for those with critical IT security roles. The Department has also implemented a cyber security employee development program designed to assist individuals who have not earned an approved industry professional security certification. In FY 2010, 20 individuals became the first graduates of the program.

A key aspect of the IT security challenge is maintaining and enforcing effective IT security policies across the Department. Commerce operating units have separate management structures that preclude direct accountability of their CIOs to the Department's CIO. This decentralization gives the Department's CIO only limited authority to ensure operating units' compliance with IT security policy and adds complexity to Department-wide information security initiatives. Notwithstanding this challenge, the CIO, along with the CIO Council, has developed a strategic plan that seeks "federated" approaches in two priority IT security initiatives: enterprise continuous monitoring and an enterprise security operations center. The plan is currently targeted for FY 2012. In this report, we identify deficiencies that require more immediate management attention.

[3] U.S. Department of Commerce, Office of Inspector General, September 2009. Commerce Should Take Steps to Strengthen Its IT Security Workforce, Report No. CAR-19569-1.


Findings

Significant vulnerabilities exist in nearly all of the systems we selected for review. The scope of the vulnerabilities, categorized as high-risk, suggests that the likelihood and severity of a breach in the confidentiality, integrity, or availability of Department data are greater than what is currently understood by management. This previously unknown risk stems from inadequate vulnerability scanning, which has not sufficiently identified high-risk flaws, and poor patch management practices. In addition, we continue to find insecure configuration settings in system components.

The process for tracking vulnerabilities is deficient, and an inaccurate and inconsistent view of risk and remediation exists across the Department. Of further concern, contingency plans for 6 of the 18 systems reviewed have not been adequately tested. Five systems required to have alternate processing sites do not have them. As a result, the ability of these systems to adequately recover from a disruption—and some of these systems support primary mission-essential functions—is in doubt.

In addition, nearly all of the systems that we reviewed lacked security planning and effective assessment of security controls—conditions that we have consistently identified in previous years. Unless Department executives take action to appropriately mitigate and consistently manage risk, the Department's systems will remain unacceptably vulnerable to cyber attacks and other threats to information security.

I. Significant Vulnerabilities in Commerce Information Systems Increase Risk of Serious Breach

Department policy—which, for "flaw remediation," is based entirely on the minimum security requirements for federal systems[4]—requires the organization to identify, report, and correct software flaws that result in potential security vulnerabilities. Newly released security patches, service packs, and "hotfixes" must be promptly installed, and flaws discovered during security assessments must be addressed expeditiously. Further, operating units are required to conduct vulnerability scanning (automated detection of software flaws and malicious code in system components) quarterly or when significant new vulnerabilities potentially affecting the system are identified and reported (for example, in a bulletin from a software manufacturer).

In addition, operating units must establish mandatory configuration settings (parameters that govern software's behavior) for information technology products, configure security settings to their most restrictive mode, document the settings, and enforce them in all components of the information system. Operating units must also assess configuration settings of IT products at least annually. Settings not securely configured represent potential vulnerabilities and pose risks similar to those of software flaws.

[4] Flaw remediation is required control SI-2 in Recommended Security Controls for Federal Information Systems, Special Publication 800-53, Revision 2, National Institute of Standards and Technology, December 2007.

To validate the extent to which these requirements are met across the Department, we analyzed the results of network vulnerability scans performed on 14 systems.[5] We assessed the extent to which secure configuration settings were established on all 18 systems by reviewing system documentation and examining settings implemented in components using automated and manual methods.

A. System Components Operate with Many Significant Software Flaws

Vulnerability scans of 1,063 computers in 14 systems revealed a total of 13,778 instances of potentially high-risk vulnerabilities; 11 non-USPTO systems (1,003 computers) accounted for 12,626 of the vulnerabilities and 3 USPTO systems (60 computers) had a total of 1,152 vulnerabilities.[6] We performed 12 of the system scans and utilized the results of 2 system scans that the National Oceanic and Atmospheric Administration (NOAA) adequately executed during our fieldwork. We have shared system-specific results with the operating units, and they are currently taking corrective action to remediate the vulnerabilities identified.

These vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing remote execution of malicious commands. Vulnerabilities identified by the scans may be exploited by software tools freely available on the Internet. The flaws exist in both operating systems and application software.

Factors contributing to the existence of extensive software flaws include insufficient flaw remediation and vulnerability scanning policy, procedures, and practices. Risk can be reduced by timely remediation of flaws, often referred to as effective patch management. The large number of instances of vulnerabilities indicates that operating units are not promptly installing patches and other software fixes. In fact, we found instances of flawed software where the patches to fix the vulnerabilities had been available from the manufacturer for up to 5 years.

Although Department policy is in compliance with the minimum requirements set by the National Institute of Standards and Technology (NIST), it does not adequately reduce vulnerabilities. This is due, in part, to the lack of provisions for senior management to ensure that flaw remediation is adequately performed. Our review of system documentation revealed that 11 of the 18 systems either had deficient patch management practices, or they were considered a "planned control" (meaning that the systems did not currently have complete patch management procedures, but system owners planned to develop and implement them at some point in the future). This security control is critical to ensuring that systems are adequately protected.

Beyond requiring operating units to scan on a quarterly basis, Department policy includes no specifications for the depth and breadth of scanning. For example, no requirement exists for the use of credentialed scans, which utilize administrator-level, privileged access to allow a scanning tool to perform a more exhaustive and accurate examination of a system. The policy also leaves uncertain what vulnerability checks a scanner must employ. As we found, this has resulted in inconsistent practices across the Department.

[5] See appendix A, Objectives, Scope, and Methodology, for details of our vulnerability scan assessment.
[6] The vulnerabilities identified may include false positives, which potentially include conditions not accurately reported by the scanners. However, our scanning practices, which include the use of administrator-level credentials, tend to minimize the number of false positives.

Some operating units either were not performing credentialed scans or had only recently begun credentialed scanning. One operating unit's quarterly scanning focused on a very limited set of the top 20 vulnerabilities identified by a private security organization. As tables 1 and 2 illustrate, more thorough scanning, to include credentials and sufficient vulnerability checks, is necessary to ensure that software flaws are sufficiently identified.

We compared our non-USPTO assessment results with operating units' most recent quarterly scans and included both in table 1. On average, we identified over 3 times as many high-risk vulnerabilities per computer as were identified by the operating units' quarterly scans. The scans for our assessment identified 4.2 vulnerabilities per computer, compared with 1.3 per computer identified by the operating units' quarterly scans of the same systems, after adjusting for one NOAA system that was a statistical outlier. This NOAA system accounted for 9,299 instances (74 percent) of the vulnerabilities, although NOAA has since made progress by installing patches that have significantly reduced this number.

Table 1. Comparison of Vulnerability Scans Conducted on Selected Non-USPTO Systems

Basis for Scan                    Systems Scanned   Computers Scanned   High-Risk Vulnerabilities   Vulnerabilities per Computer (a)
Operating Unit Quarterly                 10               1,427                 1,842                          1.3
  (including outlier system)            (11)             (1,509)               (1,916)                        (1.3)
OIG FISMA Audit                          10                 784                 3,327                          4.2
  (including outlier system)            (11)             (1,003)              (12,626)                       (12.6)

(a) High-Risk Vulnerabilities / Computers Scanned
Source: OIG and operating unit scans

Findings from our vulnerability assessment for three USPTO systems are presented in table 2. Particularly for the two systems in our subset operated by USPTO, our scans identified many more vulnerabilities per computer than USPTO's annual scan (30.5 versus 1.7). USPTO did not perform quarterly scanning of these two systems, as mandated by policy. The third USPTO system, operated by a contractor, was scanned quarterly. The contractor's quarterly scans were comprehensive, identifying the same number of high-risk vulnerabilities per computer (14.7) as our audit scan.

Table 2. Comparison of Vulnerability Scans Conducted on Selected USPTO Systems

Basis for Scan                    Systems Scanned   Computers Scanned   High-Risk Vulnerabilities   Vulnerabilities per Computer (a)
USPTO Quarterly                           2                 322                   537                          1.7
  (including contractor system)          (3)             (1,503)              (17,856)                       (11.9)
OIG FISMA Audit                           2                  17                   518                         30.5
  (including contractor system)          (3)                (60)               (1,152)                       (19.2)

(a) High-Risk Vulnerabilities / Computers Scanned
Source: OIG and USPTO scans

B. Information Technology Systems Are Not Securely Configured, Reducing Their Ability to Withstand Attack

Secure configuration checklists, which document tailored security settings for IT products, were not adequately defined in 14 of the 18 systems. We reviewed documentation for operating systems and major applications (such as database management systems, Web servers, and domain name servers); only four systems had adequately defined secure configuration checklists. In addition, we assessed actual operating system and database (where applicable) configuration settings implemented in system components by comparing them against either the system's tailored checklist or, if no tailored checklist existed, an industry benchmark. Only one system had securely configured settings implemented for its operating systems (it did not include databases). (See table 3.)

Table 3. Compliance With Configuration Settings Requirements

System Categorization   Systems Assessed   Systems with Defined Checklists   Systems with Secure Settings (a)
High Impact                     6                        1                               0
Moderate Impact                12                        3                               1
Total                          18                        4                               1

(a) We did not assess the implemented settings in one NOAA system due to concerns about its high-availability operational requirements during hurricane season.
Source: OIG

Department systems are not in compliance with requirements for configuration settings—requirements important enough that we must report to OMB separately on them each year. Securely configured settings have the potential to compensate for other types of vulnerabilities and can limit the impact of cyber attacks. We have consistently reported on configuration settings deficiencies in our annual FISMA work. These recurring findings suggest the need for increased management attention and improved policy at the Department level.

Current policy requires specific configurations for workstations running Windows® operating systems, in accordance with a federal mandate.[7] However, no specific configurations are required for server operating systems or other software, despite the public availability of a variety of specific configurations. Rather, operating units are required to define specific configurations, starting with an industry benchmark of their choosing, and then tailor it to define a specific checklist of settings. However, our reviews have consistently found that operating units are deficient in meeting this requirement.

[7] The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista® and Windows XP® operating system software.

II. Departmental Process for Reporting and Tracking IT Security Weaknesses and Corrective Action Is Deficient

FISMA requires that the Department's information security program include a process for planning, implementing, evaluating, and documenting action necessary to remedy security weaknesses, including vulnerabilities identified in control assessments.

The Department's mechanism for reporting and tracking IT security weaknesses and corrective action is the Plan of Action and Milestones (POA&M), as required by OMB. For the past 2 fiscal years, the Department has required operating units to manage POA&Ms using its Cyber Security Assessment and Management tool (CSAM).[8] The Department is required to submit a quarterly report to OMB with summary POA&M information. However, we found significant deficiencies in the POA&M process that affect the integrity of the information and compromise the Department's ability to effectively track the status of corrective action.

A. Plans of Action and Milestones Lack Information Needed for Tracking and Oversight

Senior management, including the Department's CIO, is not informed of or providing oversight to system-level vulnerabilities as required because known security weaknesses are not entered in system POA&Ms. Likewise, the Department's summary report to OMB is understating the number of security weaknesses in Department systems. Eleven systems we reviewed included evidence of deficient security controls that are not included in the systems' POA&Ms. In some cases, system security plans indicated that required security controls are "planned" (not implemented), but the absence of the controls and plans to implement them are not reported in the POA&M.

In addition, incomplete information hinders management's ability to effectively monitor the scope of security weaknesses and measure actual progress toward correcting them. Eleven of the 18 systems' POA&Ms exhibited one or more of the following conditions:

• POA&M-listed weaknesses were "closed" (an assertion that the vulnerability had been remediated) without supporting evidence or even an indication of what corrective action had been taken.

• Descriptions of security weaknesses were so vague that it was unclear what actually needed to be corrected. For example, one weakness was described as "Improving the C&A Package 800-53:RA-05 Vulnerability Scanning." No additional details or milestone activities were provided, leaving the measurement of what was to be done (improve documentation? policies? practices?) and how (types of components? time interval?) unspecified.

• Planning elements such as milestones for remediation activities were omitted or contradictory. For example, a weakness that was targeted for remediation in 2015 had just two milestones—both in 2011, leaving a 4-year gap between the last corrective activity and the planned completion date.

[8] CSAM is a Web-based application that provides a common interface and repository of information.

B. Reporting and Tracking Process Lacks Controls over Data Integrity

Inconsistency in the POA&M process prevents management from having an accurate account of security weaknesses and plans to correct them. New in fiscal year (FY) 2010, the departmental CIO, along with the Director of Human Resources, instituted an individual performance metric for key system staff that measures the extent to which POA&M items are closed (weaknesses corrected) on schedule. Without policy requirements for scheduling corrective action, closing POA&M-listed weaknesses, and a separation of roles in the POA&M process, a single individual may have the ability to falsely improve his/her performance rating or that of the organization. Fourteen of the 18 systems we reviewed exhibited evidence of one or more of the following:

• POA&M items were closed but security weaknesses were not corrected. An egregious example of this was a high-impact system for which all 191 items on its POA&M were closed in the first quarter of FY 2010 based on an assertion that the system's security controls would be reassessed within 6 months.
However, the reassessment has been\n       postponed\xe2\x80\x94it is currently planned for the third quarter of FY 2011\xe2\x80\x94while the\n       weaknesses persist, unreported and unmanaged.\n\n   \xe2\x80\xa2   Old POA&M items were closed and reopened as new items, inaccurately reporting the\n       timeliness of corrective action. As a planned date for completion of corrective action\n       approached (or in some cases, after it became due), IT security personnel canceled or\n       closed the POA&M item and added a new item to the POA&M for the same weakness,\n       with a corresponding new planned completion date farther into the future.\n\n   \xe2\x80\xa2   Planned completion dates were excessive for relatively simple actions required to\n       remediate weaknesses. For example, a lack of passwords required for administrator\n       accounts was reported on one system\xe2\x80\x99s POA&M in May 2009; the scheduled completion\n       date for correcting the deficiency was in June 2010. Over 1 year was deemed an\n       appropriate time frame for resolving a critical yet basic security control.\n\n   \xe2\x80\xa2   There was no \xe2\x80\x9cseparation of duties\xe2\x80\x9d\xe2\x80\x94necessary to ensure the integrity of the process.\n       The person requesting closure of the POA&M item (the individual asserting that the\n       weakness has been corrected) was the same person later authorizing the closing of the\n       item (verifying evidence of the corrective action). While some operating units do utilize\n       separate roles in the closure process, this is not consistent Department-wide, and current\n       policy does not address this issue.\nThe Department\xe2\x80\x99s current policy for POA&Ms addresses what types of security deficiencies\nmust be included, instructions for various fields in the POA&M form, and operating units\xe2\x80\x99\nquarterly reporting requirements that have since been superseded by the reporting capabilities of\nCSAM. 
The policy does not address standards of evidence for closing deficiencies listed on\nPOA&Ms or a role structure to ensure separation of duties with respect to the process. Improved\npolicy and consistency in its application across the Department are needed to ensure that accurate\ndata are available to senior management and in reports to OMB.\n\n\n\n\n                                                8\n\x0cU.S. Department of Commerce                                                        Final Report No. OIG-11-012-A\nOffice of Inspector General                                                                    November 15, 2010\n\n\nIII.       Contingency Planning Weaknesses Threaten Operating Units\xe2\x80\x99 Ability to\n           Restore System Data and Operations After Disruption\nContingency planning controls are intended to ensure the capability to quickly and competently\nrecover from a variety of disruptions, minimizing the loss of availability and preserving the\nintegrity of data. Department policy, in accordance with minimum requirements for federal\nsystems, requires operating units to test contingency plans at least annually to determine their\neffectiveness and the organization\xe2\x80\x99s readiness to execute them.\nThe policy also requires moderate- and high-impact systems to have alternate processing sites\nthat allow critical functions to resume when primary processing capabilities are disrupted. An\nalternate processing site must be geographically separated from the primary processing site in\norder to prevent both from being susceptible to the same local environmental hazards and\ndisasters. 
High-impact systems\xe2\x80\x99 alternate processing sites must be tested to ensure that\ncapabilities to support contingency operations are in place.\nContingency planning also contributes to continuity of operations in support of the Department\xe2\x80\x99s\nPrimary Mission-Essential Functions\xe2\x80\x94departmental functions that directly support National\nEssential Functions (government functions necessary to lead and sustain the nation during a\ncatastrophic emergency). The Department has four such essential functions, in the following\nareas: (1) export control, (2) environmental satellites, (3) weather forecasting, and (4) spectrum\nmanagement and the Internet. Of the systems we reviewed, one Bureau of Industry and Security\nsystem supports the export control-related function and six NOAA systems support the satellite-\nor weather forecasting-related functions.\nFor the past 2 years, our FISMA reviews have identified instances in which contingency plans\nwere tested insufficiently or not at all. While the Department has made progress,9 our review\nindicated that these same weaknesses, which undermine the Department\xe2\x80\x99s ability to restore\noperations in a timely manner when serious disruption occurs, are continuing.\n       A. Contingency Plans Are Not Adequately Tested\nOf the 18 systems we reviewed, 6 were not tested in accordance with Department policy (see\ntable 4.). Three high-impact systems and one moderate-impact system were not tested annually\nas required, including two NOAA systems that had not been tested since FY 2007; both of those\nsystems support the primary mission-essential weather forecasting function. 
National Weather\nService personnel currently responsible for the systems explained that they received ownership\nof the systems from the weather service\xe2\x80\x99s Office of the Chief Information Officer in the second\nquarter of FY 2010, and that the contingency plans will be tested in FY 2011.\nTwo systems\xe2\x80\x99 contingency plan tests were inadequate: one high-impact system\xe2\x80\x99s test did not\ncomply with policy requirements in that it lacked an alternate processing site at which to conduct\ntesting. And a business continuity/disaster recovery test was conducted on one moderate-impact\nsystem, but the test did not validate the recovery and restoration procedures described in the\ncontingency plan.\n\n9\n    In FY 2008, 44 percent of the contingency plans we reviewed were tested in accordance with Department policy;\n     in FY 2009, 50 percent were adequately tested; in FY 2010, 67 percent were adequately tested.\n\n\n                                                          9\n\x0cU.S. Department of Commerce                                                        Final Report No. OIG-11-012-A\nOffice of Inspector General                                                                    November 15, 2010\n\n\n\n\n                   Table 4. 
Summary of Contingency Plan Testing\n               System                                   Contingency Plans\n               Impact          Systems         Adequately          Not Inadequately\n               Level          Reviewed            Tested        Tested      Tested\n               High                  6                  2            3            1\n               Moderate             12                10             1            1\n                Total               18                 12            4            2\n               Source: OIG\n\n\n\nTesting informs and affects other required contingency planning activities and controls; the lack\nof contingency plan testing could have a ripple effect on operating units\xe2\x80\x99 ability to respond and\nrecover in the event of a system failure, emergency, or other disruption. Such other elements\ninclude updating the plan based on lessons learned in the testing, conducting annual refresher\ncontingency training of personnel, testing backup information, and (for high-impact systems)\ntesting full recovery and reconstitution procedures. All of these actions are part of the minimum\nrequirements for preparing for emergency response, backup operations, and post-disaster\nrecovery.\nIn the case of three systems whose contingency plans were tested, the depth and rigor of testing\nperformed may no longer be considered sufficient under recently revised NIST guidance for\ncontingency planning.10 Three moderate-impact systems\xe2\x80\x99 contingency plan tests were \xe2\x80\x9ctabletop,\xe2\x80\x9d\nrather than \xe2\x80\x9cfunctional,\xe2\x80\x9d exercises.11 The revised guidance indicates that functional exercises\nshould be conducted for moderate- and high-impact systems, while tabletop exercises are\nsufficient for low-impact systems only. 
Department policy requires operating units to follow this\nguidance for contingency planning, but does not refer to the guidance in its contingency plan\ntesting and exercises requirements. The policy requires that the depth and rigor of testing\nincrease with the system\xe2\x80\x99s impact level, but does not provide concrete examples.\n\n     B. Systems Lack Alternate Processing Sites, Increasing the Risk of Not Being Available\n     When Needed\nFive systems that are required to have alternate processing sites do not, including three NOAA\nsystems (of which two have high-availability requirements) that support the weather forecasting\nprimary mission-essential function. NOAA has plans to arrange alternate processing sites by the\nend of 2011 and 2015, respectively, for the two high-availability systems. The third NOAA\nsystem\xe2\x80\x99s documentation indicates that the lack of an alternate processing site is an accepted risk;\nthe system is scheduled to be decommissioned by the end of 2011. Planning documentation for\n\n10\n    National Institute of Standards and Technology. May 2010. Contingency Planning Guide for Federal Information\n   Systems (NIST SP 800-34, Revision 1).\n11\n   According to NIST SP 800-34, tabletop exercises are discussion-based, in which personnel meet in a classroom\n   setting to discuss their roles during an emergency and their responses to a particular situation. Functional\n   exercises allow personnel to validate their operational readiness for emergencies by performing their duties in a\n   simulated operational environment.\n\n\n                                                        10\n\x0cU.S. Department of Commerce                                                     Final Report No. 
OIG-11-012-A\nOffice of Inspector General                                                                 November 15, 2010\n\n\nthe NOAA systems indicates that the lack of alternate processing sites is due to \xe2\x80\x9cbudget\nconstraint and technical complexity\xe2\x80\x9d or other funding issues. However, the systems\xe2\x80\x99 plans of\naction and milestones do not include cost estimates for resolving these deficiencies. Two\nmoderate-impact USPTO systems are subject to the operating unit\xe2\x80\x99s plan to arrange alternate\nprocessing sites for all its systems in a phased approach that will be completed in 2015.\nParticularly for systems supporting primary mission-essential functions, the lack of alternate\nprocessing sites may pose undue risk of prolonged disruption to systems that are critical to\nensuring continuity of essential governmental operations. High-availability systems that support\nweather forecasting and lack alternate processing sites imperil NOAA\xe2\x80\x99s ability to continually\nmeet its goals of saving lives, protecting property, and creating economic opportunity. Based on\nour interviews with NOAA personnel and reviews of the systems\xe2\x80\x99 contingency planning\ndocumentation, events leading to a loss of the availability of the systems\xe2\x80\x99 primary processing\nsites would have dire consequences for the weather forecasting-related function.\n\n\nIV.        Persistent Deficiencies in Security Plans and Control Assessments Reduce\n           Overall Level of Information Assurance\nConsistent with many of our previous FISMA reviews, system security plans lacked information\nnecessary to adequately describe system-specific control requirements and implementations\xe2\x80\x94\ninformation that senior officials need to assess risk. 
Security control assessments\xe2\x80\x94which\nprovide assurance that controls are adequately implemented, operating as intended, and\nproviding the resulting security that systems require\xe2\x80\x94depend upon clearly-defined requirements\nand adequately described implementations in order to accurately judge the effectiveness of\nsecurity controls in the appropriate technologies. Thirteen of 18 systems\xe2\x80\x99 security plans lacked\nsystem-specific requirements or implementation details for security controls.\nIn addition, control assessments for 14 of 18 systems did not provide needed assurance; for\nexample, some assessments of controls implemented in system components consisted of reviews\nof policy and procedures or interviews of staff, rather than technical examinations to validate\ncomponents\xe2\x80\x99 configurations or tests to determine whether controls were operating correctly. In\nother cases, controls were assessed for only one type of component rather than what are often\nseveral (sometimes many) component types in which controls are implemented.\nWhile we have previously reported these issues to operating units, often for individual systems\nand in great detail, and made the Department\xe2\x80\x99s Office of the Chief Information Officer aware,\nthese deficiencies continue to exist to an extent that causes concern. The Department\xe2\x80\x99s efforts, in\nresponse to our IT security workforce audit,12 to increase the knowledge and skills of personnel\nwith IT security responsibilities should eventually result in improvements in these areas.\nHowever, it is not clear that senior officials are sufficiently aware of what have been\nlongstanding problems that require more urgent attention.\n\n\n\n\n12\n     Commerce OIG, Commerce Should Take Steps to Strengthen Its IT Security Workforce.\n\n\n                                                       11\n\x0cU.S. Department of Commerce                                           Final Report No. 
OIG-11-012-A\nOffice of Inspector General                                                       November 15, 2010\n\n\n                                   Recommendations\nTo improve the effectiveness of the Commerce information technology security program and\npractices, we recommend that senior officials with interim responsibility for the Deputy\nSecretary position ensure that the Chief Information Officer and senior management of the\noperating units work together to:\n   1. Revise the departmental information technology security policy by providing specific\n      implementation requirements that will ensure better and more consistent practices across\n      the Department. Specifically,\n           a. improve vulnerability scanning and patch management policies to ensure\n              comprehensive identification of vulnerabilities and timely remediation of software\n              flaws;\n           b. add specific configuration- settings requirements for operating systems, major\n              applications, and other products; and\n           c. clarify requirements for the depth and rigor of contingency plan testing.\n   2. Ensure that operating units take corrective action as necessary in response to our\n      vulnerability scan assessments;\n   3. Increase Department and operating unit management oversight of vulnerability scanning\n      and patch management so that software flaws are comprehensively identified and\n      remediated in a timely manner;\n   4. Increase Department and operating unit management oversight of configuration settings\n      to ensure that secure settings are defined, documented, and implemented for operating\n      systems, major applications, and other products, as required;\n   5. Revise and implement POA&M policy to include integrity controls (including separation\n      of duties), evidence requirements, and management oversight;\n   6. Ensure that operating units conduct contingency plan tests as required;\n   7. 
Identify all systems without required alternate processing sites and determine the most\n      efficient approach, resources required, and a schedule for arranging sites; and\n   8. Ensure that system security plans adequately describe security controls and that control\n      assessments provide needed assurance.\n\n\n\n\n                                               12\n\x0cU.S. Department of Commerce                                          Final Report No. OIG-11-012-A\nOffice of Inspector General                                                      November 15, 2010\n\n\n                        Summary of Department Response\nIn responding to our draft report, the Department\xe2\x80\x99s Chief Information Officer concurred with our\nfindings and recommendations. See appendix B for the complete response.\n\n\n\n\n                                               13\n\x0cU.S. Department of Commerce                                           Final Report No. OIG-11-012-A\nOffice of Inspector General                                                       November 15, 2010\n\n\n             Appendix A: Objectives, Scope, and Methodology\nIn accordance with FISMA, our objective was to assess the effectiveness of the Department's\ninformation security program and practices. This report describes key issues that most require\nsenior management\xe2\x80\x99s attention. In general, we do not detail our findings for the individual\nsystems reviewed unless such is necessary for clarity. We focused on aggregate results to assess\nthe overall effectiveness of the Department\xe2\x80\x99s IT security program. We will submit a separate\nreport to OMB, answering a full scope of security-related questions, in further accordance with\nFISMA requirements.\n\nOur assessment focused on a targeted selection of 18 systems from the following departmental\noperating units/sub-units:\n\n   \xe2\x80\xa2   Bureau of Industry and Security (BIS)\n\n   \xe2\x80\xa2   U.S. 
Census Bureau\n\n   \xe2\x80\xa2   Economic Development Administration (EDA)\n\n   \xe2\x80\xa2   National Oceanic and Atmospheric Administration (NOAA)\n       -   NOAA\xe2\x80\x99s National Environmental Satellite, Data, and Information Service (NESDIS)\n       -   NOAA\xe2\x80\x99s National Weather Service (NWS)\n       -   NOAA\xe2\x80\x99s National Ocean Service (NOS)\n       -   NOAA\xe2\x80\x99s Office of the Chief Information Officer (OCIO)\n\n   \xe2\x80\xa2   Office of the Secretary (OS)\n\n   \xe2\x80\xa2   U.S. Patent and Trademark Office (USPTO)\n\nWe selected high- and moderate-impact systems, some of which support primary mission-\nessential functions, because security breaches of these systems would have the greatest negative\nimpact on the confidentiality, integrity, or availability of data and Department operations. (See\ntable 5.)\n\nTo complete our assessment, we reviewed systems\xe2\x80\x99 security-related documentation, including\nsystem security plans, configuration settings checklists, Plans of Action and Milestones, security\ncontrol assessments, and quarterly vulnerability scans. We performed our own vulnerability\nscans of 12 systems and assessed configuration settings in all 18. We utilized two NOAA system\nvulnerability scans that were adequately performed, during our fieldwork, by a NOAA unit\nnewly responsible for the systems. We did not conduct vulnerability scanning of three Census\nsystems due to concerns that our work might disrupt 2010 decennial census operations. Our\nvulnerability assessment of BIS\xe2\x80\x99s Investigative Management System Redesign was limited to\nconfiguration settings-related activities because vulnerability scanning was not appropriate for\nthe technical composition of the system.\n\n\n\n                                                14\n\x0cU.S. Department of Commerce                                          Final Report No. 
OIG-11-012-A\nOffice of Inspector General                                                      November 15, 2010\n\n\nWe performed our audit work from June to October 2010 at Commerce headquarters in\nWashington, D.C., and various Census, NOAA, and USPTO facilities in Maryland and Virginia.\nWe conducted our audit in accordance with generally accepted government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our findings\nand conclusions.\n\n\n\n                              Table 5. Systems Reviewed\n                                                                       Supports\n                                                                       Primary\n                                                                       Mission-\n       Operating                             Impact                    Essential\n       Unit/Sub-unit                          Level                    Function\n       BIS                                    High                        X\n       Census                               Moderate\n       Census                               Moderate\n       Census                               Moderate\n       EDA                                  Moderate\n       NOAA                                   High                         X\n       NOAA                                 Moderate\n       NOS                                  Moderate\n       NESDIS                                 High                         X\n       NESDIS                                 High                         X\n       NESDIS                               Moderate\n       NWS                                    High                         X\n       NWS                                    High                         X\n 
      NWS                                  Moderate                       X\n       OS                                   Moderate\n       USPTO                                Moderate\n       USPTO                                Moderate\n       USPTO                                Moderate\n       Source: Department of Commerce\n\n\n\n\n                                               15\n\x0cU.S. Department of Commerce                                         Final Report No. OIG-11-012-A\nOffice of Inspector General                                                     November 15, 2010\n\n\nWe reviewed the Department\xe2\x80\x99s compliance with applicable provisions of law, regulation, and\nmandatory guidance, including\n\n   \xe2\x80\xa2   Federal Information Security Management Act of 2002\n\n   \xe2\x80\xa2   IT Security Program Policy and Minimum Implementation Standards, U.S. Department\n       of Commerce, introduced by the CIO on March 9, 2009\n\n   \xe2\x80\xa2   NIST Federal Information Processing Standards Publications\n       -   199, Standards for Security Categorization of Federal Information and Information\n           Systems\n       -   200, Minimum Security Requirements for Federal Information and Information\n           Systems\n\n   \xe2\x80\xa2   NIST Special Publications\n       -   800-18, Guide for Developing Security Plans for Information Technology Systems\n       -   800-34, Contingency Planning Guide for Federal Information Systems\n       -   800-37, Guide for the Security Certification and Accreditation of Federal Information\n           Systems\n       -   800-53, Recommended Security Controls for Federal Information Systems\n       -   800-53A, Guide for Assessing the Security Controls in Federal Information Systems\n       -   800-70, Security Configuration Checklists Program for IT Products\n       -   800-115, Technical Guide to Information Security Testing and Assessment\n\n\n\n\n                                              
16\n\x0cU.S. Department of Commerce                       Final Report No. OIG-11-012-A\nOffice of Inspector General                                   November 15, 2010\n\n\n               Appendix B: Full Text of Department Response\n\n\n\n\n(OAE-19904)\n\n\n                                    17\n\x0c"